CYBERSECURITY researchers have disclosed details of a critical vulnerability, CVE-2026-25874, affecting Hugging Face’s LeRobot platform, which could allow unauthenticated remote code execution via unsafe deserialization of pickle data. The flaw stems from the use of pickle.loads() to deserialize data received over unauthenticated gRPC channels in the PolicyServer and robot client components, so a network-reachable attacker who can send messages to either side can run arbitrary code on the server or the client.
The issue, described by VulnCheck as dangerous because LeRobot runs AI inference tasks with elevated privileges, has been validated against LeRobot version 0.4.3 and remains unpatched, with a fix planned for version 0.6.0. According to a GitHub advisory, the attacker can trigger the vulnerability by sending a crafted pickle payload through specific gRPC calls such as SendPolicyInstructions, SendObservations, or GetActions.
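To make the vulnerability class concrete, the following is an added example written for this page; it is not LeRobot's code and does not reproduce its gRPC handlers. It shows why pickle.loads() on bytes from an unauthenticated peer is code execution, a static opcode scan that flags such payloads before loading, and a restricted unpickler that refuses global lookups. The payload is hand-built and calls os.getcwd() as a harmless stand-in for the os.system() or subprocess call a real attacker would name; the network transport is omitted because the bug does not depend on how the bytes arrive.

```python
"""Added example (not LeRobot's code): pickle.loads() on untrusted bytes is
remote code execution, plus two mitigations.

Everything here is constructed for the demo. The payload calls os.getcwd(),
a harmless stand-in for the os.system()/subprocess call a real attacker
would name; the gRPC transport is omitted because the bug is independent
of how the bytes arrive.
"""
import io
import os
import pickle
import pickletools

# Hand-built protocol-0 pickle: GLOBAL os.getcwd, EMPTY_TUPLE, REDUCE, STOP.
# REDUCE makes the unpickler call os.getcwd() before any application code
# ever sees the "deserialized object".
MALICIOUS_PAYLOAD = b"cos\ngetcwd\n)R."

# A constructed message shaped like legitimate observation data, for comparison.
BENIGN_PAYLOAD = pickle.dumps({"obs": [1.0, 2.0]})


def unsafe_deserialize(data: bytes):
    """The vulnerable pattern: trust whatever the peer sent."""
    return pickle.loads(data)


def unsafe_executes_payload() -> bool:
    """True if pickle.loads ran the attacker-chosen callable."""
    return unsafe_deserialize(MALICIOUS_PAYLOAD) == os.getcwd()


# Opcodes that resolve or invoke callables, or run __reduce__/__setstate__
# logic during loading. Their presence in a data message is a red flag.
CODE_EXEC_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD",
}


def scan_for_code_execution(data: bytes) -> list[str]:
    """Static pre-check: list the dangerous opcodes in a pickle stream
    without loading it. Usable as a detection signature at the service edge."""
    found = {op.name for op, _arg, _pos in pickletools.genops(data)}
    return sorted(found & CODE_EXEC_OPCODES)


class RestrictedUnpickler(pickle.Unpickler):
    """Defence in depth: refuse every global lookup except an explicit
    allowlist. With an empty allowlist only builtin containers and scalars
    (dict/list/tuple/str/bytes/int/float) can be loaded, which is all a
    message of the benign shape above needs."""
    ALLOWED: set[tuple[str, str]] = set()

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def safe_deserialize(data: bytes):
    """Hardened replacement for pickle.loads on untrusted input: scan first,
    then load with global lookups disabled."""
    if scan_for_code_execution(data):
        raise pickle.UnpicklingError("payload contains code-execution opcodes")
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_rejects_payload(data: bytes) -> bool:
    """True if the hardened path refuses the given bytes."""
    try:
        safe_deserialize(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable path executed payload:", unsafe_executes_payload())
    print("opcode scan:", scan_for_code_execution(MALICIOUS_PAYLOAD))
    print("hardened path rejected payload:", safe_rejects_payload(MALICIOUS_PAYLOAD))
    print("hardened path loads benign data:", safe_deserialize(BENIGN_PAYLOAD))
```

The restricted unpickler and the opcode scan reduce the attack surface, but they are mitigations rather than a fix: the robust remediation for data crossing an unauthenticated network boundary is to not accept pickle at all and use a schema-bound format (for tensors, a raw array container with pickle loading disabled, or a protobuf message) together with authentication on the channel. The article does not say which approach the planned 0.6.0 fix takes.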
Resecurity also attributes the root cause to the async inference PolicyServer component, noting that an unauthenticated attacker who can reach the PolicyServer port could execute commands on the host running the service. The LeRobot team has acknowledged the security risk, indicating that parts of the codebase require substantial refactoring as the project evolves toward production deployments.